The increasing number of third-party data breaches and the sensitive information they expose have negatively impacted consumer trust. Third-party breaches occur when sensitive data is stolen from a third-party vendor or when their systems are used to access and steal sensitive information stored on your systems.
In today's interconnected economy, companies rely on third parties. It's increasingly common to outsource large parts of your business to dedicated vendors who specialize in that function, whether that be a SaaS vendor, a third-party service provider, or a contractor.
These third parties aren't typically under your organization's control, and it's unlikely that they provide complete transparency into their information security controls. Some vendors have robust security standards and good risk management practices, while others may not.
This means that each vendor, whether directly or indirectly, impacts your cybersecurity.
For example, a 2019 eSentire survey found that 44% of all firms surveyed had experienced a significant data breach caused by a third-party vendor. And the 2019 Cost of a Data Breach Report from Ponemon Institute and IBM found that third-party involvement was one of the five biggest cost amplifiers, increasing the average cost by more than $370,000 to $4.29 million.
1. Assess your vendors before onboarding
Onboarding third-party vendors who will have access to your network and sensitive data without measuring the cybersecurity risk they introduce is risky. Yet, too many organizations fail to perform adequate due diligence during the vendor selection process.
An easy way to assess a potential vendor without introducing operational overhead for your vendor management team is to use security ratings. Security ratings have been widely adopted because they supplement and can sometimes replace time-consuming vendor risk assessment techniques like questionnaires, on-site visits, and penetration tests.
Security ratings let you instantly understand the external security posture of a potential vendor and what cyber threats they may be susceptible to. This greatly reduces the operational burden on TPRM teams during vendor selection, due diligence, onboarding, and monitoring. Additionally, the reports can be shared with vendors and used to remediate issues.
Because UpGuard measures externally verifiable controls, this pre-assessment can be done without requiring consent or work from a vendor. You can even benchmark and compare a vendor against their peers and others in their sector to help you make an informed decision about which vendor you should select.
The result is a more accurate, real-time picture of the risk the vendor will introduce to your supply chain, without having to spend time completing costly risk assessments, penetration tests, or vulnerability scans.
2. Incorporate risk management into your contracts
Make a practice of incorporating cyber risk into your vendor risk management program and vendor contracts. While this won't prevent a third-party data breach, it means your vendors will be held accountable should their security posture weaken.
Many of our customers incorporate security ratings into their contracts. For example, some stipulate that a vendor who processes personal information or credit cards must maintain a security rating above 900, or risk having their contract terminated.
We also recommend incorporating SLAs into your contracts so you can steer the cybersecurity risk management behavior of your vendors. Consider adding language that requires your vendors to communicate or even remediate any security issues within a certain time frame, such as 72 hours for high-risk issues. Additionally, consider adding the right to request a completed security questionnaire once per quarter as they can highlight issues that are missed by external security scanning.
3. Keep an inventory of your in-use vendors
Before you can adequately determine the risk your third-party vendors introduce, you need to understand who all your third parties are and how much data is being shared with each of them.
Without an inventory of your third-party relationships, it's impossible to measure the level of risk vendors introduce. Despite this, only 46% of organizations perform cybersecurity risk assessments on vendors who handle sensitive data.
As simple as this sounds, it's not always easy to know all the vendors used by your organization, especially if you work at a large one.
This is where tools like UpGuard Vendor Risk can help. We can help you find and monitor your vendors using our instant vendor search. Our platform scans and scores millions of companies every day to give you instant access to vendor security ratings. If we don't currently monitor the company, you can easily add it to your monitored vendor list and we'll start scanning it from the moment you add it.
4. Continuously monitor vendors for security risks
A vendor's security posture can, and will, change over the course of your contract. That's why it's critical for you to continuously monitor their security controls over time.
The trouble is, most organizations don't continuously monitor their vendors. Instead, they rely on point-in-time assessments, such as audits or security questionnaires, which are typically only a snapshot of an organization's security posture.
There is definitely a place for these types of assessments, as they highlight issues that are often missed by external scanning solutions. That's why UpGuard Vendor Risk has tools to help you automate security questionnaires.
However, they are not well suited as a continuous security monitoring solution.
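The contract terms described in section 2 (a rating floor of 900 for vendors that handle personal or card data, and a 72-hour remediation window for high-risk issues) are only useful if something checks them continuously rather than at audit time. The script below is an added example, not UpGuard's code or API: it evaluates a constructed vendor inventory against those two clauses at a fixed clock, so a drop in posture or an overdue issue surfaces as a finding. The vendor names, ratings and issues are made up for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Contract terms taken from the article: vendors handling personal or card
# data must keep a rating above 900, and high-risk issues must be remediated
# within 72 hours.
RATING_FLOOR = 900
HIGH_RISK_SLA = timedelta(hours=72)


@dataclass
class Issue:
    title: str
    severity: str          # "high", "medium" or "low"
    opened_at: datetime
    resolved: bool = False


@dataclass
class Vendor:
    name: str
    handles_sensitive_data: bool
    rating: int
    issues: list = field(default_factory=list)


def evaluate_vendor(vendor: Vendor, now: datetime) -> list:
    """Return the contractual findings for one vendor at time `now`."""
    findings = []
    # The rating clause only binds vendors that process personal or card data.
    if vendor.handles_sensitive_data and vendor.rating <= RATING_FLOOR:
        findings.append(
            f"{vendor.name}: rating {vendor.rating} is not above the contractual floor of {RATING_FLOOR}"
        )
    for issue in vendor.issues:
        if issue.resolved or issue.severity != "high":
            continue
        age = now - issue.opened_at
        if age > HIGH_RISK_SLA:
            hours = int(age.total_seconds() // 3600)
            findings.append(
                f"{vendor.name}: high-risk issue '{issue.title}' open for {hours}h, past the 72h SLA"
            )
    return findings


def evaluate_portfolio(vendors, now):
    """Findings per vendor; an empty list means the vendor is within contract."""
    return {v.name: evaluate_vendor(v, now) for v in vendors}


# Constructed sample data with a fixed clock so the results are reproducible.
SAMPLE_NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_VENDORS = [
    Vendor("PayCo", True, 870, [
        Issue("Expired TLS certificate", "high", SAMPLE_NOW - timedelta(hours=80)),  # 80h > 72h SLA
    ]),
    Vendor("MailCo", False, 820),  # low rating, but the clause does not apply (no sensitive data)
    Vendor("CloudCo", True, 940, [
        Issue("Exposed management port", "high", SAMPLE_NOW - timedelta(hours=10)),  # inside SLA
        Issue("Missing HSTS header", "medium", SAMPLE_NOW - timedelta(hours=200)),  # not high-risk
    ]),
]

if __name__ == "__main__":
    for name, findings in evaluate_portfolio(SAMPLE_VENDORS, SAMPLE_NOW).items():
        print(name, findings or "within contract")
```

Run on a schedule against whatever feed supplies ratings and open issues, the findings list is what you would attach to a remediation request; MailCo shows why the check must carry the data-handling attribute from the inventory, since the same rating is a contract breach for one vendor and irrelevant for another.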
5. Collaborate with your vendors
While you can never fully prevent third-party unauthorized access, cyber-attacks, and security breaches, it's important to work collaboratively, not combatively, with vendors to reduce risk and fix security issues quickly.
There are several UpGuard Vendor Risk features that support this process.
For example, you can use our Portfolio Risk Profile to prioritize the most critical risks across your vendor ecosystem and request remediation through our platform to ensure risks are resolved quickly and with an audit trail. This facilitates outreach and allows you and your vendor to understand what needs to be fixed and why it poses a risk to end-users and personal data.
6. Talk about third-party risk
The highest-performing organizations (those who have been able to avoid a breach in the last year and those with mature risk management programs) have engaged leadership.
According to the Ponemon Institute's Data Risk in the Third-Party Ecosystem report, 53 percent of respondents within high-performing organizations said they have board and executive-level engagement, compared to just 25 percent of respondents among organizations that have experienced a third-party data breach.
This engagement means that the leadership at the highest performers is aware of the importance of protecting confidential information, as well as of the increasingly stringent privacy practices driven by the introduction of general data protection regulations around the world, such as GDPR, LGPD, CCPA, FIPA, PIPEDA, and the SHIELD Act.
This is why UpGuard Vendor Risk has in-built executive reporting, which includes:
- The average score of your vendors over time
- The distribution of your vendor scores
- Your highest and lowest scoring vendors
- The technologies most commonly used by your vendors
7. Cut ties with bad vendors
If a small business or third-party vendor is unable to meet your standards, or if they've suffered from a ransomware attack or data breach, are you willing to cut ties? And if you are willing to, do you have the processes in place to successfully offboard the vendor without causing business continuity issues?
Lots of companies are good at onboarding vendors, but struggle to properly offboard them. The most secure organizations care about the details and understand that proper offboarding is an important part of third-party risk management.
If you're not sure which vendors pose the highest risk to your organization, consider signing up for a free seven-day trial of the UpGuard platform. We'll be able to show you which vendors have the worst security posture.
8. Measure fourth-party risk
As important as it is to understand your third-party risk, it's also important to know who your third parties rely on. These organizations are known as your fourth-party vendors, and they introduce fourth-party risk.
Just as organizations are quickly adopting multi-factor authentication, we see our best customers contractually requiring vendors to notify them when they share data with a fourth or fifth party. This allows them to track sensitive information sharing and better understand who has access.
UpGuard Vendor Risk's Concentration Risk module automatically detects many of your fourth parties and shows you which fourth-party vendor you have the most exposure to. This can help you plan for business continuity too. For example, if you know that 30 of your critical vendors rely on AWS, you may opt to choose other vendors who use Google Cloud Platform to spread out the risk that an outage at one of these cloud providers would leave you unable to conduct business as usual.
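The concentration calculation behind the AWS example is a simple inversion of the vendor inventory: for every fourth party, collect the vendors that depend on it, then rank by count. The code below is an added example, not the Concentration Risk module, and the vendor-to-provider mapping is constructed; it also adds a threshold check that names any single provider whose outage would affect a given share of your critical vendors.

```python
from collections import defaultdict

# Constructed sample inventory: each critical vendor and the fourth parties
# it is known to rely on (hosting, CDN, email delivery, data warehouse).
SAMPLE_VENDOR_DEPENDENCIES = {
    "PayCo": ["AWS", "Cloudflare"],
    "MailCo": ["AWS", "SendGrid"],
    "CloudCo": ["GCP"],
    "AnalyticsCo": ["AWS", "Snowflake"],
    "HRCo": ["Azure", "Cloudflare"],
}


def concentration_report(deps):
    """Invert the inventory: fourth party -> sorted list of vendors relying on it."""
    exposure = defaultdict(list)
    for vendor, fourth_parties in deps.items():
        for fp in set(fourth_parties):      # de-duplicate a vendor listed twice
            exposure[fp].append(vendor)
    return {fp: sorted(vendors) for fp, vendors in exposure.items()}


def most_concentrated(deps, top_n=3):
    """Rank fourth parties by how many of your vendors depend on them."""
    report = concentration_report(deps)
    ranked = sorted(((fp, len(v)) for fp, v in report.items()),
                    key=lambda item: (-item[1], item[0]))
    return ranked[:top_n]


def single_points_of_failure(deps, threshold):
    """Fourth parties whose outage would affect at least `threshold` of your vendors."""
    total = len(deps)
    report = concentration_report(deps)
    return sorted(fp for fp, vendors in report.items() if len(vendors) / total >= threshold)


if __name__ == "__main__":
    for fp, count in most_concentrated(SAMPLE_VENDOR_DEPENDENCIES):
        print(f"{fp}: {count} vendor(s)")
    print("Concentration above 50%:", single_points_of_failure(SAMPLE_VENDOR_DEPENDENCIES, 0.5))
```

The threshold is the figure to agree with the business continuity owner: with the sample data, AWS is the only provider behind more than half of the critical vendors, which is exactly the situation the article suggests diversifying away from.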
9. Follow the principle of least privilege
Many third-party data breaches occur because the third party is provided with more access than they need to do their job.
Consider investing in a robust role-based access control system that follows the principle of least privilege (POLP), the practice of limiting access rights for users, accounts, and computing processes to only those needed to do the job at hand.
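Least privilege for a vendor account comes down to two things: a role that grants only the specific actions on the specific resources the vendor's job requires, and a deny-by-default check that refuses everything else. The snippet below is an added illustration of that pattern, not code from UpGuard or any particular access-control product; the roles, resources and principals are constructed. It also shows a review step that compares what a role grants against what the account has actually used, which is how over-provisioned vendor access is usually found.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

Permission = Tuple[str, str]   # (action, resource); "*" as resource means any


@dataclass(frozen=True)
class Role:
    name: str
    permissions: FrozenSet[Permission]


# Constructed roles. Each vendor role is scoped to exactly the actions and
# resources that vendor needs; nothing else is reachable through it.
ROLES: Dict[str, Role] = {
    "payments-vendor": Role("payments-vendor", frozenset({
        ("read", "orders/payment-status"),
        ("write", "orders/payment-status"),
    })),
    "analytics-vendor": Role("analytics-vendor", frozenset({
        ("read", "reports/aggregated"),
    })),
    "internal-admin": Role("internal-admin", frozenset({
        ("read", "*"),
        ("write", "*"),
    })),
}


@dataclass(frozen=True)
class Principal:
    name: str
    roles: Tuple[str, ...]


def is_authorized(principal: Principal, action: str, resource: str, roles=ROLES) -> bool:
    """Deny by default; allow only if some assigned role grants the exact action/resource."""
    for role_name in principal.roles:
        role = roles.get(role_name)
        if role is None:
            continue  # an unknown role grants nothing
        for perm_action, perm_resource in role.permissions:
            if perm_action == action and perm_resource in ("*", resource):
                return True
    return False


def unused_permissions(principal: Principal, observed_usage, roles=ROLES):
    """Permissions granted through roles but never exercised; candidates for removal."""
    granted = set()
    for role_name in principal.roles:
        role = roles.get(role_name)
        if role is not None:
            granted |= set(role.permissions)
    return sorted(granted - set(observed_usage))


# Constructed principals: a vendor service account and an internal operator.
VENDOR_ACCOUNT = Principal("payco-svc", ("payments-vendor",))
ADMIN_ACCOUNT = Principal("ops-admin", ("internal-admin",))

if __name__ == "__main__":
    print(is_authorized(VENDOR_ACCOUNT, "read", "orders/payment-status"))   # True
    print(is_authorized(VENDOR_ACCOUNT, "read", "customers/pii"))           # False
    # Access log review: the vendor only ever read, so the write grant is excess.
    print(unused_permissions(VENDOR_ACCOUNT, [("read", "orders/payment-status")]))
```

The `unused_permissions` review is the part worth scheduling: run it over a month of the vendor account's access logs, and any grant that comes back is a grant that can be removed without breaking the integration.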
10. How UpGuard can prevent third-party data breaches
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar, and NASA use UpGuard's security ratings to protect their data, prevent data breaches and assess their security operations.
UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.
We can also help you instantly benchmark your current and potential vendors against their industry, so you can see how they stack up.
For the assessment of your information security controls, UpGuard BreachSight can monitor your organization for 70+ security controls providing a simple, easy-to-understand cyber security rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos, and more.
This includes open ports and other services that are exposed to the public Internet. Our platform explicitly checks for nearly 200 services running across thousands of ports, and reports on any services we can't identify, as well as any open ports with no services detected.
You can read more about what our customers are saying on Gartner reviews.
If you'd like to see your organization's security rating, click here to request your free Cyber Security Rating.